Slashdot Mirror


Tear Down the Firewall

lousyd writes "'What's the best firewall for servers?' asked one Slashdot poster. 'Give up the firewall' answers Security Pipeline columnist Stuart Berman. Through creatively separating server functions into different, isolated servers, and assigning them to a three tiered system of security levels, his company has almost completely eliminated the need for (and headache of) network firewalls. "Taking that crutch away has forced us to rethink our security model," Berman says. The cost of the added servers is greatly minimized by making them virtual servers on the same machine, using Xen. With the new security-enhanced XenSE, this might become easier and more possible. What has you chained to your firewall?"

12 of 395 comments

  1. Sigh... by EQ · · Score: 3, Interesting

    Let me try selling THIS to my boss, with the Cisco guys whispering sweet nothings in his ear about PIX Firewalls and all this wonderful "solution in a box".

    Or is this another Flavor of the Month event?

    --
    Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO
  2. "Simple" ACLS by wcdw · · Score: 4, Interesting

    By defining simple ACLs, we further isolate our backend servers.

    Personally, I've never found ACLs as easy (or as flexible) as other firewall solutions. But in any event, ACLs are firewalls, call them what you will....

    --
    If you're not living on the edge, you're just taking up space!
  3. Firewalls aren't totally expendable by cerberus4696 · · Score: 5, Interesting

    It's one thing to give up the firewall if all you have behind it is servers. It's quite another to give it up if you're protecting user workstations. While it's certainly possible to carefully arrange your external services such that they are secure, it's really only possible if you have absolute control over every single device behind the firewall.

    1. Re:Firewalls aren't totally expendable by Master+of+Transhuman · · Score: 2, Interesting
      The point is they INTEND for the workstations to be more exposed to the Net. This reflects the reality that perimeter security isn't working well. If you treat the workstations as if they're NOT secure, your security actually gets better because now you're dealing with the reality that most hacking is done from INSIDE the network - whether from internal users or compromised workstations doesn't matter.

      Their security is reserved for the server tiers. The workstations are protected as well as possible using the usual means, but they are NO LONGER TRUSTED.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  4. Re:Band-aid by matth · · Score: 2, Interesting

    Ummm yeah I know what services are running.. some (like SSH) I only want me to be able to get to from certain IP addresses. Some (like on Windows) are needed for the machine to talk to Domain Controllers (but you certainly don't want joe-smith talking to your machine on port 139).. so yeah there are a lot of reasons to use firewalls!

  5. Why not have both? by ravenspear · · Score: 2, Interesting

    I agree that firewalls should not be implemented as a crutch in lieu of a good security model for your servers, but why not have that and a firewall. TFA makes a good point but most sysadmins who have any experience with good security already know it. Only run the services needed on the servers dedicated to those services.

    But it seems to me that rejecting all other traffic with a firewall is a good added measure of security that can only improve the overall security of your setup. It also makes you less visible to attackers and wastes their time.

    1. Re:Why not have both? by Master+of+Transhuman · · Score: 3, Interesting
      The article makes the point that it costs money and time to "reject all other traffic" because the end users often need to access things outside the system, new applications such as Skype also need to have new ports opened, and outside visitors need to connect to the network internally which leads to security risks as firewalls are administered.

      By treating EVERYBODY outside the server ring as a potential risk, you eliminate these problems and take a more proactive, paranoid approach to the security of the internal network rather than relying on perimeter security which is hard and expensive to do. At the same time, you make the network outside the server ring more useful to end users.

      I can see the point - I'd just like to see it TESTED against a good-quality pen-test using compromised workstations against the server ring to see if Layer-Three switches with ACLs and PKI authentication and application firewalls are sufficient to protect the servers against island-hopping attacks by a good hacker.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  6. I use a firewall to isolate networks by StupidKatz · · Score: 5, Interesting

    I'm running all kinds of crud on the intranet that I don't want exposed to the Internet, such as NetBIOS on Windows and some permissive SAMBA shares on assorted servers.

    So, the services are running so that I can use them from the inside (with any device on the inside, without mucking with ACLs, additional equipment aside from a switch, etc.) without having the services exposed to the outside.

    Now, if you're running services which aren't being used by legitimate users at all... ;)

  7. security wants redundancy by wotevah · · Score: 2, Interesting

    Before everyone starts posting "I've been doing that for ten years" and "of course, firewalls are teh suk", let me say that while TFA does make some good points (about "perceived safety" of firewalls), I still do not see any way that its conclusion would be correct.

    First off, redundancy in security is good. You want multiple layers of security. It does not make sense to remove a layer just because you installed a different (non-overlapping) mechanism in place.

    Second, firewalls are a policy enforcement mechanism, and a single point of control. Under stress it is much easier to control access from a firewall than the eclectic mix of machines behind it. The point needs to be made that while securing each machine is a good idea, that should not be done to replace the firewall.

    Visible services can't be assumed to be bulletproof. Compromising the frontend machines can result in them becoming rogue agents (DDOS and whatnot). Firewalls attempt to mitigate this risk by blocking outgoing access and thus rendering the network less useful to the attacker. Without a firewall, well...

    The network of machines is secure today, after a lot of careful design work. Is it stable? Will it still be secure after the next site upgrade?

    While more complex systems can occasionally be more secure by their inherent obfuscation, verifying such systems from the inside is also difficult, but manageable given the manpower. When the security components are mutable though (they are OS services and custom software which are upgraded often), the complexity of the system works against us, making it that much harder to verify that all the combinations still result in a secure system. Not to mention that the machine verification involves application-level checking which is either laborious or impossible for the network admin to do.

    From TFA: Meanwhile, the clients sit in the clear. We protect them by boosting their immunity levels so that they can exist in harsher conditions. They run secure OSs, fully patched with current anti-virus protection.

    So our definition of a secure OS is Windows (what other OS needs to have "current anti-virus protection"?). That sure explains a lot. I suppose those machines wouldn't happen to have the firewall enabled, would they?

  8. Not an Innovator; Just a Contrarian by sabat · · Score: 3, Interesting

    I have heard this guy propose his nonsense in person. This is a classic case of throwing the baby out of the bathwater; his proposition summarizes as "firewalls aren't a silver bullet, so they're worthless."

    He proposes that we secure all individual boxes, which is umpteen times more difficult, more time-consuming, and less secure.

    He's not an innovator; he's a contrarian.

    --
    I, for one, welcome our new Antichrist overlord.
  9. Re:What has you chained to your firewall? by Shanep · · Score: 2, Interesting

    ...my philosophy was "I'm running port scanning to make sure 22, 80 and 443 are the only ports listening on the boxes - why should I put a firewall in front of it to only let those ports through? ... But, unfortunately, you can't just throw the firewalls out even if you don't need them.

    But you do need them. You should assume that your servers will get rooted, in which case they may soon be listening on any other ports and initiating connections to anywhere also on any port, or even DoS'ing the rest of your internal machines or worse still machines external to your network.

    The power of a dedicated firewall is that since it may be dedicated to tasks such as segmenting networks, packet filtering, prioritization and bandwidth shaping, but with no accessible service, it is highly unlikely to become rooted and thus is perfect for enforcement of rules or even damage control should a machine become rooted.

    You can do so much with a dedicated firewall and whatever you do, it will not just get disabled once an externally reachable service gets rooted.

    --
    War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
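A host-side version of the check Shanep quotes (confirming that 22, 80 and 443 are the only ports listening), as an added example that is not code from the article or from any poster in this thread. It parses the output format of `ss -ltn` on Linux; the sample output embedded below is constructed, and the allowlist `EXPECTED_PORTS` is the set of ports named in the comment above. Beyond a plain port-by-port comparison, it separates listeners bound only to loopback (not reachable from the network) from publicly bound ones, and reports expected ports that have no listener at all.

```python
"""Audit which TCP ports a server is listening on against an expected set.

Added example for this thread, not code from the article or any poster.
It parses the output format of `ss -ltn` (Linux); the sample output below
is constructed, and EXPECTED_PORTS is the set named in the comment above.
"""
from typing import Dict, List, Set, Tuple

EXPECTED_PORTS: Set[int] = {22, 80, 443}

# Constructed sample of `ss -ltn` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       511     *:443                *:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:6667         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Addresses that only local processes can reach.
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (local_address, port) for each LISTEN line, skipping the header."""
    listeners: List[Tuple[str, int]] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Split on the last ':' so IPv6 forms like [::]:22 keep their address.
        addr, port = fields[3].rsplit(":", 1)
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def audit(ss_output: str, expected: Set[int] = EXPECTED_PORTS) -> Dict[str, list]:
    """Classify listeners into what a reviewer of the box would want to know.

    unexpected_public: reachable from the network and not in `expected`
    loopback_only:     listening, but bound to a loopback address only
    missing:           expected ports with no listener at all
    """
    listeners = parse_listeners(ss_output)
    unexpected_public = [(a, p) for a, p in listeners
                         if a not in LOOPBACK and p not in expected]
    loopback_only = [(a, p) for a, p in listeners if a in LOOPBACK]
    seen_ports = {p for _, p in listeners}
    missing = sorted(expected - seen_ports)
    return {
        "unexpected_public": unexpected_public,
        "loopback_only": loopback_only,
        "missing": missing,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_SS_OUTPUT)
    for key, items in result.items():
        print(f"{key}: {items}")
```

On the constructed sample the audit flags the listener on 6667 as an unexpected public port, reports 3306 as loopback-only, and finds nothing missing. On a real host you would feed it the live output of `ss -ltn` instead of the sample. As the second paragraph of Shanep's post notes, a clean audit today says nothing about the box after it is rooted, which is the gap a separately administered firewall's ingress and egress rules are meant to cover.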
  10. Re:What is XenSE? by Lemming+Mark · · Score: 2, Interesting

    Yes, but not on your existing hardware: running Windows XP will require hardware virtualisation support. Intel and AMD will be releasing this shortly (Q2 this year for Intel, next year for AMD).

    You won't need to wait for XenSE to achieve this, though - one of the Xen 3.x series will probably be able to do everything you want. A number of people are running a firewall in a separate virtual machine using Xen 2.0 (which can't run Windows). You're able to assign the network device directly to the firewall domain for better performance: no need to "double virtualise" the network card :-)

    OpenBSD, whilst doable, probably wouldn't be the best choice for the firewall virtual machine: a native Xen-aware OS such as Linux, NetBSD or FreeBSD would be better[*].

    [*] assuming there isn't a port of OpenBSD by that stage.